Snort mailing list archives
Understanding byte_test
From: "Lay, James" <james.lay () wincofoods com>
Date: Thu, 6 Oct 2011 13:41:34 -0600
So... I saw this today.. here's the rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT AVI DirectShow quicktime parsing overflow attempt "; flow:to_client,established; content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0; fast_pattern; byte_test:1,>,31,58,relative,big; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:bugtraq,35139; reference:cve,2009-1537; reference:url,www.microsoft.com/technet/security/advisory/971778.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS09-028.mspx; classtype:attempted-user; sid:15517; rev:6;)

If I'm understanding byte_test correctly, this says "test one byte, make sure it's greater than decimal 31 and start processing 58 bytes into the payload, but because our last match was stsd, start at packet 2c5". This then matches byte 2d0, since it's A0, yes? Or am I reading this way wrong? Thanks for any understanding you can shed.

James

WEB-CLIENT AVI DirectShow quicktime parsing overflow attempt
209.161.5.216 -> bleh
IPVer=4 hlen=5 tos=0 dlen=1440 ID=55752 flags=2 offset=0 ttl=60 chksum=32241
Protocol: 6 sport=80 -> dport=2915
Seq=2936503472 Ack=150666001 Off=5 Res=0 Flags=***A**** Win=6432 urp=63069 chksum=0
Payload:
000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
010 : 0A 44 61 74 65 3A 20 54 68 75 2C 20 30 36 20 4F  .Date: Thu, 06 O
020 : 63 74 20 32 30 31 31 20 31 39 3A 30 37 3A 34 35  ct 2011 19:07:45
030 : 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap
040 : 61 63 68 65 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66  ache..Last-Modif
050 : 69 65 64 3A 20 46 72 69 2C 20 33 30 20 53 65 70  ied: Fri, 30 Sep
060 : 20 32 30 31 31 20 31 39 3A 32 34 3A 35 39 20 47   2011 19:24:59 G
070 : 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61 6E 67 65  MT..Accept-Range
080 : 73 3A 20 62 79 74 65 73 0D 0A 43 6F 6E 74 65 6E  s: bytes..Conten
090 : 74 2D 4C 65 6E 67 74 68 3A 20 31 37 38 36 35 34  t-Length: 178654
0a0 : 30 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 74  0..Keep-Alive: t
0b0 : 69 6D 65 6F 75 74 3D 35 2C 20 6D 61 78 3D 31 30  imeout=5, max=10
0c0 : 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B  0..Connection: K
0d0 : 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E 74 65  eep-Alive..Conte
0e0 : 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 70 6C  nt-Type: text/pl
0f0 : 61 69 6E 0D 0A 0D 0A 00 00 00 20 66 74 79 70 4D  ain....... ftypM
100 : 34 56 50 00 00 00 01 4D 34 56 50 4D 34 41 20 6D  4VP....M4VPM4A m
110 : 70 34 32 69 73 6F 6D 00 00 15 63 6D 6F 6F 76 00  p42isom...cmoov.
120 : 00 00 6C 6D 76 68 64 00 00 00 00 CA AB C3 E3 CA  ..lmvhd.........
130 : AB C3 E3 00 00 02 58 00 00 28 96 00 01 00 00 01  ......X..(......
140 : 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  ................
150 : 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  ................
160 : 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00  ...........@....
170 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
180 : 00 00 00 00 00 00 00 00 00 00 03 00 00 0E BE 74  ...............t
190 : 72 61 6B 00 00 00 5C 74 6B 68 64 00 00 00 01 CA  rak...\tkhd.....
1a0 : AB C3 CB CA AB C3 E3 00 00 00 01 00 00 00 00 00  ................
1b0 : 00 28 96 00 00 00 00 00 00 00 00 00 00 00 00 00  .(..............
1c0 : 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
1d0 : 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
1e0 : 00 00 00 40 00 00 00 01 E0 00 00 01 10 00 00 00  ...@............
1f0 : 00 00 24 65 64 74 73 00 00 00 1C 65 6C 73 74 00  ..$edts....elst.
200 : 00 00 00 00 00 00 01 00 00 28 96 00 00 00 00 00  .........(......
210 : 01 00 00 00 00 0E 36 6D 64 69 61 00 00 00 20 6D  ......6mdia... m
220 : 64 68 64 00 00 00 00 CA AB C3 E3 CA AB C3 E3 00  dhd.............
230 : 00 0B B5 00 00 CA BC 15 C7 00 00 00 00 00 3A 68  ..............:h
240 : 64 6C 72 00 00 00 00 00 00 00 00 76 69 64 65 00  dlr........vide.
250 : 00 00 00 00 00 00 00 00 00 00 00 41 70 70 6C 65  ...........Apple
260 : 20 56 69 64 65 6F 20 4D 65 64 69 61 20 48 61 6E   Video Media Han
270 : 64 6C 65 72 00 00 00 0D D4 6D 69 6E 66 00 00 00  dler.....minf...
280 : 14 76 6D 68 64 00 00 00 01 00 00 00 00 00 00 00  .vmhd...........
290 : 00 00 00 00 24 64 69 6E 66 00 00 00 1C 64 72 65  ....$dinf....dre
2a0 : 66 00 00 00 00 00 00 00 01 00 00 00 0C 75 72 6C  f............url
2b0 : 20 00 00 00 01 00 00 0D 94 73 74 62 6C 00 00 00   ........stbl...
2c0 : B0 73 74 73 64 00 00 00 00 00 00 00 01 00 00 00  .stsd...........
2d0 : A0 61 76 63 31 00 00 00 00 00 00 00 01 00 00 00  .avc1...........
2e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 01 E0 01  ................
2f0 : 10 00 48 00 00 00 48 00 00 00 00 00 00 00 01 00  ..H...H.........
300 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
310 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
320 : 18 FF FF 00 00 00 2E 61 76 63 43 01 42 E0 15 FF  .......avcC.B...
330 : 01 00 17 27 42 E0 15 A9 18 3C 11 D8 03 50 60 10  ...'B....<...P`.
340 : 6B 6D E8 03 D2 03 D5 7B DF 01 01 00 04 28 DE 09  km.....{.....(..
350 : 88 00 00 00 1C 75 75 69 64 6B 68 40 F2 5F 24 4F  .....uuidkh@._$O
360 : C5 BA 39 A5 1B CF 03 23 F3 00 00 00 01 00 00 00  ..9....#........
370 : 18 73 74 74 73 00 00 00 00 00 00 00 01 00 00 02  .stts...........
380 : 07 00 00 00 64 00 00 00 24 73 74 73 73 00 00 00  ....d...$stss...
390 : 00 00 00 00 05 00 00 00 01 00 00 00 79 00 00 00  ............y...
3a0 : F1 00 00 01 69 00 00 01 E1 00 00 03 4C 73 74 73  ....i.......Lsts
3b0 : 63 00 00 00 00 00 00 00 45 00 00 00 01 00 00 00  c.......E.......
3c0 : 09 00 00 00 01 00 00 00 02 00 00 00 06 00 00 00  ................
3d0 : 01 00 00 00 03 00 00 00 09 00 00 00 01 00 00 00  ................
3e0 : 04 00 00 00 06 00 00 00 01 00 00 00 05 00 00 00  ................
3f0 : 09 00 00 00 01 00 00 00 06 00 00 00 06 00 00 00  ................
400 : 01 00 00 00 07 00 00 00 09 00 00 00 01 00 00 00  ................
410 : 08 00 00 00 06 00 00 00 01 00 00 00 09 00 00 00  ................
420 : 09 00 00 00 01 00 00 00 0A 00 00 00 06 00 00 00  ................
430 : 01 00 00 00 0B 00 00 00 09 00 00 00 01 00 00 00  ................
440 : 0C 00 00 00 06 00 00 00 01 00 00 00 0D 00 00 00  ................
450 : 09 00 00 00 01 00 00 00 0E 00 00 00 06 00 00 00  ................
460 : 01 00 00 00 0F 00 00 00 09 00 00 00 01 00 00 00  ................
470 : 10 00 00 00 06 00 00 00 01 00 00 00 11 00 00 00  ................
480 : 09 00 00 00 01 00 00 00 12 00 00 00 06 00 00 00  ................
490 : 01 00 00 00 13 00 00 00 09 00 00 00 01 00 00 00  ................
4a0 : 14 00 00 00 06 00 00 00 01 00 00 00 15 00 00 00  ................
4b0 : 09 00 00 00 01 00 00 00 16 00 00 00 06 00 00 00  ................
4c0 : 01 00 00 00 17 00 00 00 09 00 00 00 01 00 00 00  ................
4d0 : 18 00 00 00 06 00 00 00 01 00 00 00 19 00 00 00  ................
4e0 : 09 00 00 00 01 00 00 00 1A 00 00 00 06 00 00 00  ................
4f0 : 01 00 00 00 1B 00 00 00 09 00 00 00 01 00 00 00  ................
500 : 1C 00 00 00 06 00 00 00 01 00 00 00 1D 00 00 00  ................
510 : 09 00 00 00 01 00 00 00 1E 00 00 00 06 00 00 00  ................
520 : 01 00 00 00 1F 00 00 00 09 00 00 00 01 00 00 00  ................
530 : 20 00 00 00 06 00 00 00 01 00 00 00 21 00 00 00   ...........!...
540 : 09 00 00 00 01 00 00 00 22 00 00 00 06 00 00 00  ........".......
550 : 01 00 00 00 23 00 00 00 09 00 00 00 01 00 00 00  ....#...........
560 : 24 00 00 00 06 00 00 00 01 00 00 00 25 00 00 00  $...........%...
570 : 09 00 00 00 01 00 00 00                          ........
Current thread:
- Understanding byte_test Lay, James (Oct 06)
- Re: Understanding byte_test rmkml (Oct 06)